Practice under scrutiny for referrals faxing error
Peter Harris, BSc, LLB, LLM (Hons), Associate, Avant Law
Thursday, 3 February 2022
A case in which multiple medical records were faxed to the wrong number reminds both doctors and practices to move away from less secure methods, such as fax, when sending patient information.
A medical practice had intended for patient referrals to be faxed to a psychologist. Unfortunately, the number entered into the practice’s referral details address book was wrong: it belonged to a member of the public, who continued to receive the referrals for the next two years.
Faxing error goes unnoticed
The man who received the faxes did not contact the practice as he did not want to alarm the patients but, as the faxes continued to arrive, he decided to contact a newspaper with his story.
He estimated he had received the documents of approximately 10 patients over two years, most of which he disposed of straight away. These included detailed medical histories and mental health plans for patients diagnosed with severe anxiety, depression and sleep disorders. The documents also contained personal information including names, birth dates, Medicare numbers and addresses.
The practice discovered the data breach had been caused by human error. This involved mixing up the digits of the fax number when the psychologist’s contact details were put into the practice’s referral details address book.
The error went unnoticed as the GP gave a hard copy of each referral to the patient to take to the psychologist. Therefore, the psychologist didn’t realise they were missing the faxes.
Avant support for the practice
Avant Law assisted the practice by assessing the data breach, notifying the Office of the Australian Information Commissioner (OAIC), and in taking remedial action. Our team also reviewed the practice’s privacy and information security policies and liaised with the privacy regulator on the practice’s obligations under the Privacy Act. With this support, the practice was able to satisfy the OAIC that this was a singular event, and their remedial action meant no further action needed to be taken by the regulator. As such, the practice avoided any fines or sanctions in respect of the data breach.
As part of the remediation and review of the data breach, Avant’s risk advisers also reviewed the practice’s existing data protection and privacy protocols and provided targeted risk education for all the staff on privacy and information security.
If you or your practice experience a data breach, it’s important to notify Avant immediately*.
From the time the data breach is identified, the person or practice has 30 days to assess the breach and, if required, make a notification to the OAIC. Subject to the terms and conditions of your policy, Avant can assist you to assess whether the data breach must be notified to the OAIC. Notification applies to breaches that are likely to result in serious harm to individuals and where remedial action is not considered likely to prevent that harm.
Secure email for sending patient information
According to an OAIC report released last year, human error is second only to criminal attacks as the main reason for data breaches. Within that category, information being sent to the wrong recipient (by email, post or other means) is the most common form of human-error breach.
The RACGP supports phasing out faxed communication, calling it ‘dated technology’. The RACGP’s recent position statement, ‘Safe and effective transfer of information to and from general practice’, advocates for the use of secure messaging systems because they are the safest, most secure and most efficient communication method. The position statement puts it this way: “Every effort should be made to secure it as much as possible, through the use of password protection, encryption software, or via a secure website with passwords requiring multi-factor authentication.”
Privacy laws state that you can use any method of communication as long as you take reasonable steps to protect the privacy of the patient and the security of their health information.
Practices should use the most secure messaging delivery system available to them to send patient information. Secure messaging and encrypted email are more secure than fax. Furthermore, if there is an error in the email address, the message is more likely to ‘return to sender’ than to be delivered to a random recipient, and encrypted content would not be readable by an unintended recipient.
Ideally, the most patient-centred approach would be to discuss with your patient the best method of communication. However, that may be difficult to implement in practice for all patients. If this is the case, you can send information by unencrypted email after making the patient aware that this is not a secure form of communication.
- The transmission protocols used to send faxes are very outdated. If you are communicating patient information, it should be sent via email using password protection or encryption software, or via a secure website.
- When updating contact information, always verify the contact number or email address with the recipient, to avoid information ending up in the wrong hands.
- Do not use auto-populated options for email addresses.
- If you or your practice experience a data breach, ensure that you conduct a timely and thorough assessment of the breach.
- Consider drafting a data breach response plan, which should include a communications plan that covers how to deal with media inquiries. Privacy breaches can attract media interest and a timely response may help maintain your reputation and minimise the impact for any affected patients.
- It’s important to notify Avant immediately so an assessment can be performed and the OAIC notified, if necessary, within the 30-day period.
- Factsheet: Responding to data breaches
- Resource: Data breaches: all you need to know
- Resource: Email communication with patients: privacy and patient safety
- Resource: Steps to protect your practice from a cyber security incident
IMPORTANT: The Practice Medical Indemnity Policy is issued by Avant Insurance Limited, ABN 82 003 707 471, AFSL 238 765. This policy wording is available at www.avant.org.au or by contacting us on 1800 128 268. Practices may need to consider other forms of insurance including directors’ and officers’ liability, public and products liability, property and business interruption insurance, and workers compensation.
The case discussed in this article is based on a real case. Certain information has been de-identified to preserve privacy and confidentiality.
This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.